US20090172794A1 - Location bound secure domains - Google Patents


Info

Publication number
US20090172794A1
Authority
US
United States
Prior art keywords
certificate
virtual machine
processor
programming interface
application programming
Prior art date
Legal status
Granted
Application number
US11/967,592
Other versions
US9223938B2 (en)
Inventor
James B. McGUIRE
Current Assignee
Google Technology Holdings LLC
Original Assignee
Motorola Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/101Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities
    • G06F21/1013Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities to locations

Definitions

  • Embodiments may also be practiced in distributed computing environments where tasks are performed by local and remote processing devices that are linked (either by hardwired links, wireless links, or by a combination thereof) through a communications network.
  • Embodiments within the scope of the present invention may also include computer-readable media for carrying or having computer-executable instructions or data structures stored thereon.
  • Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer.
  • Such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures.
  • When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination thereof) to a computer, the computer properly views the connection as a computer-readable medium.
  • Thus, any such connection is properly termed a computer-readable medium. Combinations of the above should also be included within the scope of the computer-readable media.
  • Computer-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions.
  • Computer-executable instructions also include program modules that are executed by computers in stand-alone or network environments.
  • Generally, program modules include routines, programs, objects, components, and data structures, etc. that perform particular tasks or implement particular abstract data types.
  • Computer-executable instructions, associated data structures, and program modules represent examples of the program code means for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, apparatus, and electronic device with secure operation based on geography are disclosed. A positioning mechanism 404 may determine a geographic location of the apparatus or electronic device. A processor 104 may identify a secure domain for a virtual machine application. The processor 104 may determine an availability of an application programming interface for the virtual machine application based on the geographic location.

Description

  • FIELD OF THE INVENTION
  • The present invention relates to a method and system for secure operation of a virtual machine application on a mobile device. The present invention further relates to controlling access by the virtual machine application to application programming interfaces.
  • INTRODUCTION
  • Java® Platform, Micro Edition (ME) is a subset of the Java specification directed towards resource-constrained environments, such as mobile computing devices, mobile telephones, handheld computers, and similar portable devices. One specification for the Java ME® is a mobile information device profile (MIDP). A virtual machine under the MIDP for mobile computing devices, referred to as a MIDlet, may be downloaded onto a mobile computing device. Including a signed electronic certificate may increase the security of executing these MIDlets.
  • SUMMARY OF THE INVENTION
  • A method, apparatus, and electronic device with secure operation based on geography are disclosed. A positioning mechanism may determine a geographic location. A processor may identify a secure domain for a virtual machine application. The processor may determine an availability of an application programming interface for the virtual machine application based on the geographic location.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • In order to describe the manner in which the above-recited and other advantages and features of the invention can be obtained, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments of the invention and are not therefore to be considered to be limiting of its scope, the invention will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:
  • FIG. 1 illustrates in a block diagram one embodiment of a handheld device that may be used to implement the communication protocol management method.
  • FIG. 2 illustrates in a block diagram one embodiment of a system for downloading a virtual machine application to a mobile computing device.
  • FIG. 3 illustrates in a block diagram one embodiment of a software configuration of a mobile computing device.
  • FIG. 4 illustrates in a block diagram one embodiment of a system for locating a mobile computing device.
  • FIG. 5 illustrates in a flowchart one embodiment of a method for certifying a virtual machine application for a mobile computing device based on location.
  • FIG. 6 illustrates in a flowchart one embodiment of a method for controlling access to an application programming interface based on location.
  • DETAILED DESCRIPTION OF THE INVENTION
  • Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth herein.
  • Various embodiments of the invention are discussed in detail below. While specific implementations are discussed, it should be understood that this is done for illustration purposes only. A person skilled in the relevant art will recognize that other components and configurations may be used without parting from the spirit and scope of the invention.
  • The present invention comprises a variety of embodiments, such as a method, an apparatus, and an electronic device, and other embodiments that relate to the basic concepts of the invention. The electronic device may be any manner of computer, mobile device, or wireless communication device.
  • A method, apparatus, and electronic device with secure operation based on geography are disclosed. A positioning mechanism may determine a geographic location for the apparatus or electronic device. A processor may identify a secure domain for a virtual machine application. The processor may determine an availability of an application programming interface for the virtual machine application based on the geographic location.
  • FIG. 1 illustrates in a block diagram one embodiment of a handheld device 100 that may be used to execute a virtual machine application. The handheld device 100 may access the information or data stored in a network. The handheld device 100 may support one or more applications for performing various communications with the network. The handheld device 100 may implement any operating system, such as Windows or UNIX, for example. Client and server software may be written in any programming language, such as C, C++, Java or Visual Basic, for example. The handheld device 100 may be a mobile phone, a laptop, a personal digital assistant (PDA), or other portable device. For some embodiments of the present invention, the handheld device 100 may be a WiFi® capable device, which may be used to access the network for data or by voice using voice over internet protocol (VOIP). The handheld device 100 may include a transceiver 102 to send and receive data over the network.
  • The handheld device 100 may include a controller or processor 104 that executes stored programs. The controller or processor 104 may be any programmed processor known to one of skill in the art. However, the decision support method may also be implemented on a general-purpose or a special purpose computer, a programmed microprocessor or microcontroller, peripheral integrated circuit elements, an application-specific integrated circuit or other integrated circuits, hardware/electronic logic circuits, such as a discrete element circuit, a programmable logic device, such as a programmable logic array, field programmable gate-array, or the like. In general, any device or devices capable of implementing the decision support method as described herein can be used to implement the decision support system functions of this invention.
  • The handheld device 100 may also include a volatile memory 106 and a non-volatile memory 108 to be used by the processor 104. The volatile 106 and nonvolatile data memory storage 108 may include one or more electrical, magnetic or optical memories such as a random access memory (RAM), cache, hard drive, or other memory device. The memory may have a cache to speed access to specific data. The memory may also be connected to a compact disc-read only memory (CD-ROM), digital video disc-read only memory (DVD-ROM), DVD read write input, tape drive or other removable memory device that allows media content to be directly uploaded into the system.
  • The handheld device 100 may include a user input interface 110 that may comprise elements such as a keypad, display, touch screen, or any other device that accepts input. The handheld device 100 may also include a user output device that may comprise a display screen and an audio interface 112 that may comprise elements such as a microphone, earphone, and speaker. The handheld device 100 also may include a component interface 114 to which additional elements may be attached, for example, a universal serial bus (USB) interface or an audio-video capture mechanism. Finally, the handheld device 100 may include a power supply 116.
  • Client software and databases may be accessed by the controller or processor 104 from the memory, and may include, for example, database applications, word processing applications, video processing applications as well as components that embody the decision support functionality of the present invention. The user access data may be stored in either a database accessible through a database interface or in the memory. The handheld device 100 may implement any operating system, such as Windows or UNIX, for example. Client and server software may be written in any programming language, such as ABAP, C, C++, Java or Visual Basic, for example.
  • A mobile computing device (MCD) 100 may download a virtual machine application to be executed on the MCD 100. The MCD 100 may be running a Java® Platform, Micro Edition (ME) with a mobile information device profile (MIDP) specification, allowing it to use mobile information device (MID) virtual machine applications called MIDlets. By using electronically signed certificates with the MIDlets, the MCD 100 may be assured of a higher level of security on the machine. Unsigned MIDlets may be used, but may be granted a lower level of access to various functions of the MCD 100.
  • The security of the MIDlet may be further increased by limiting the availability of a native function of the MCD 100 to the MIDlet, such as an application programming interface (API). A MCD 100 may improve security while using a MIDlet by employing a secure domain, a set of permissions regarding various functions or APIs that may be assigned to a MIDlet. The secure domains may have an allowed permission, granting unfettered access to an API; user permission, granting access upon user approval; or denial, barring the MIDlet from using that API. The user permissions may be set at various levels of interaction mode, such as blanket, wherein the MIDlet has access to that API for the length of installation; session, wherein the MIDlet has access to that API for as long as the MIDlet is running; or one shot, wherein the MIDlet must ask permission for each use of the API.
  • FIG. 2 illustrates in a block diagram one embodiment of a system 200 for downloading a virtual machine application to a mobile computing device. A developer 202 may create a virtual machine application, or MIDlet, and attach a signed electronic certificate. The developer 202 may transfer the virtual machine application to a download center 204. A user 206 may request a download of the virtual machine application from the download center 204. The download center 204 may download the virtual machine application to a handheld device 100 of the user 206. The user may then send an installation status report to the download center 204. The user 206 may then verify the signature of the certificate and install the virtual machine application on the handheld device 100. The user 206 may then use the virtual machine application, possibly in interaction with a web server 208.
  • FIG. 3 illustrates in a block diagram one embodiment of a software configuration 300 of a MCD 100, such as Java ME® 302. A MCD 100 may run a host operating system 302 as a basis for implementing all other software applications. The host operating system 302 may be used in conjunction with a configuration 304 and profile 306 to run the various virtual machine applications. The configuration 304 may include a coherent virtual machine (CVM) 310, a connected limited device configuration (CLDC) virtual machine (VM) 312, and a kilobyte virtual machine (KVM) 314. A connected device configuration (CDC) library 316 may support a CVM 310, while a CLDC library 318 may support the CLDC VM 312 and the KVM 314. The profile 308 may include personal profile 320 and a personal basis profile 322. The personal basis profile 322 may be a subset of the personal profile 320. Both the personal profile 320 and the personal basis profile 322 may be based on a foundation profile 324. The profile 308 may include a remote method invocation profile 326. The profile 308 may further include a MIDP 328 with access to a portable data acquisition package (PDAP) 330.
  • The use of such a configuration may give greater flexibility in how a MCD 100 is used. Secure domains may be used to control the access that MIDlets downloaded onto the MCD 100 have to various APIs. These secure domains may be expanded to take environmental factors into account. One such factor, which may be used to adjust a secure domain on a continuing basis, is location. Other environmental factors that may be used to determine the scope of a secure domain include communication signal strength, communication signal encryption strength, device temperature, power level, or any other environmental factor that may affect the security or stability of the device while the MIDlet uses the API.
  • A sensor may be used to determine whether the environmental factor required for the MIDlet to remain in the secure domain, and so to use a specified API, is present. For example, a positioning mechanism may be integrated into a MCD 100, particularly through the component interface 114. FIG. 4 illustrates in a block diagram one embodiment of a system 400 for locating a MCD 100. An MCD 100 that is in regular contact with telecommunication cells 402 may use those cells to triangulate a position for the MCD 100. Additionally, a global positioning system (GPS) locator device 404 connected to the component interface 114 of the MCD 100 may connect with GPS satellites 406 to determine a position of the MCD 100.
  • FIG. 5 illustrates in a flowchart one embodiment of a method 500 for certifying a virtual machine application for a mobile computing device based on location. A MCD 100 may receive a certificate associated with a VM application (VMA), or MIDlet, upon downloading the VMA (Block 502). The MCD 100 may decode the certificate (Block 504). The certificate may include an identifier (ID). The ID may be device specific, to bind the VMA to a specific device, or location specific, to bind use of the VMA to a specific location. If the ID is a device specific ID (Block 506), the MCD 100 may compare the device ID (DID) to the ID of the MCD 100 (Block 508). If the ID is a location specific ID (Block 506), the MCD 100 may determine the location of the MCD 100 (Block 510). The MCD 100 may compare the location ID (LID) to the location of the MCD 100 (Block 512). The MCD 100 may use these comparisons to determine the validity of the certificate for that device (Block 514).
  • FIG. 6 illustrates in a flowchart one embodiment of a method 600 for controlling access to an application programming interface based on location. Upon receiving the certificate associated with the VMA, the MCD 100 may identify the secure domain for that VMA (Block 602). Because the secure domain is contingent upon an environmental factor of the MCD 100, the MCD 100 may measure that environmental factor (EF), such as the location of the MCD 100 (Block 604). The VMA running on the MCD 100 may seek to access an API or other function (Block 606). The MCD 100 may determine the availability of the API based upon the measurement of the environmental factor (Block 608). In some embodiments an API may be removed from a secure domain when a specified environmental factor, such as a particular geographic location, is present; in other embodiments the same factor may cause the API to be added to the secure domain. If the API is not available (Block 610), the MCD 100 may deny the VMA the use of that API (Block 612). If the API is available (Block 610), the MCD 100 may allow the VMA the use of that API (Block 614).
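  • The certificate check of FIG. 5 (Blocks 502-514) and the API gate of FIG. 6 (Blocks 602-614), modelled together in an added Python example. This is not code from the patent, and not from any Java ME implementation, where these checks would sit in the MIDP security manager and be written in Java; Python is used here so the policy logic can be run and tested directly. Everything concrete is an assumption: the certificate layout, the HMAC used as a stand-in for the signer's real certificate signature, the circular geofence used as the location ID, the domain policy table and the sample coordinates. The two permission strings are MIDP 2.0 and JSR 179 permission names, but their binding to regions below is hypothetical.

```python
"""Model of the location-bound secure-domain checks in FIG. 5 and FIG. 6.

Constructed example: certificate format, HMAC stand-in signature, geofence
policy and coordinates are assumptions, not the patent's or Java ME's own.
"""
import hashlib
import hmac
import json
import math
from typing import Optional, Tuple

# Hypothetical shared verification key standing in for the signer's public key.
SIGNING_KEY = b"constructed-demo-key"

Fix = Optional[Tuple[float, float]]  # (lat, lon) from GPS/cell fix, or None if no fix


def sign(cert_body: dict) -> str:
    """Stand-in for the signer: HMAC-SHA256 over the canonical JSON of the body."""
    msg = json.dumps(cert_body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_certificate(domain: str, id_type: str, id_value=None, region=None) -> dict:
    """Developer side (FIG. 2): build and sign the certificate attached to the MIDlet."""
    body = {"domain": domain, "id_type": id_type, "id": id_value, "region": region}
    return {"body": body, "signature": sign(body)}


def decode_certificate(cert: dict) -> Optional[dict]:
    """Block 504: verify the signature before trusting any field of the body."""
    body = cert["body"]
    if not hmac.compare_digest(sign(body), cert["signature"]):
        return None
    return body


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def inside_region(region: dict, fix: Fix) -> bool:
    """A region is a (lat, lon, radius_m) circle; no fix never matches (fail closed)."""
    if fix is None:
        return False
    lat, lon = fix
    return haversine_m(lat, lon, region["lat"], region["lon"]) <= region["radius_m"]


def certificate_valid(cert: dict, device_id: str, fix: Fix) -> bool:
    """FIG. 5, Blocks 504-514: bind the VMA to a device ID or to a location ID."""
    body = decode_certificate(cert)
    if body is None:
        return False
    if body["id_type"] == "device":  # Block 508: compare DID with this device's ID
        return isinstance(body["id"], str) and hmac.compare_digest(body["id"], device_id)
    if body["id_type"] == "location":  # Blocks 510-512: compare LID with measured fix
        return inside_region(body["region"], fix)
    return False


# Hypothetical domain policy: for each API, the region where use is allowed or denied.
DOMAIN_POLICY = {
    "trusted": {
        "javax.microedition.io.Connector.http": {
            "allow_in": {"lat": 51.5074, "lon": -0.1278, "radius_m": 5000}},
        "javax.microedition.location.Location": {
            "deny_in": {"lat": 48.8566, "lon": 2.3522, "radius_m": 20000}},
    },
    "untrusted": {},  # no location-bound APIs at all
}


def identify_secure_domain(cert: dict, device_id: str, fix: Fix) -> str:
    """Block 602: a VMA whose certificate does not validate lands in the untrusted domain."""
    if not certificate_valid(cert, device_id, fix):
        return "untrusted"
    return cert["body"]["domain"]


def api_available(domain: str, api: str, fix: Fix) -> bool:
    """FIG. 6, Blocks 604-614: evaluate the API's rule against the current fix."""
    rule = DOMAIN_POLICY.get(domain, {}).get(api)
    if rule is None:
        return False  # API is not in this domain at all
    if "allow_in" in rule:  # claim 2: allowed only inside a region
        return inside_region(rule["allow_in"], fix)
    if "deny_in" in rule:  # claim 3: denied inside a region, but still needs a fix
        return fix is not None and not inside_region(rule["deny_in"], fix)
    return False


if __name__ == "__main__":
    london = (51.5, -0.12)  # constructed sample fix
    cert = make_certificate("trusted", "location",
                            region={"lat": 51.5074, "lon": -0.1278, "radius_m": 5000})
    domain = identify_secure_domain(cert, "IMEI-000", london)
    print(domain, api_available(domain, "javax.microedition.io.Connector.http", london))
```

  Two choices in the model matter in practice. The signature is checked before any field of the certificate is read, so a tampered domain or region string drops the MIDlet into the untrusted domain rather than into whatever it claims. The location is passed in on every call rather than cached at install time, which is what the "continuing basis" in the description requires, and a missing fix fails closed for both allow-in and deny-in rules: a device that cannot tell where it is gets no location-bound API.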
  • Embodiments may also be practiced in distributed computing environments where tasks are performed by local and remote processing devices that are linked (either by hardwired links, wireless links, or a combination thereof) through a communications network.
  • Embodiments within the scope of the present invention may also include computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination thereof) to a computer, the computer properly views the connection as a computer-readable medium. Thus, any such connection is properly termed a computer-readable medium. Combinations of the above should also be included within the scope of the computer-readable media.
  • Computer-executable instructions include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Computer-executable instructions also include program modules that are executed by computers in stand-alone or network environments. Generally, program modules include routines, programs, objects, components, and data structures, etc. that perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of the program code means for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represents examples of corresponding acts for implementing the functions described in such steps.
  • Although the above description may contain specific details, they should not be construed as limiting the claims in any way. Other configurations of the described embodiments of the invention are part of the scope of this invention. For example, the principles of the invention may be applied to each individual user, where each user may individually deploy such a system. This enables each user to utilize the benefits of the invention even if any one of the large number of possible applications does not need the functionality described herein. In other words, there may be multiple instances of the electronic devices, each processing the content in various possible ways. It does not necessarily need to be one system used by all end users. Accordingly, the appended claims and their legal equivalents should alone define the invention, rather than any specific examples given.

Claims (20)

1. A method for secure operation based on geography, comprising:
identifying a secure domain for a virtual machine application on the mobile client device;
determining a geographic location for the mobile client device; and
determining an availability of an application programming interface for the virtual machine application based on the geographic location.
2. The method of claim 1, further comprising:
allowing access to the application programming interface within a geographic region.
3. The method of claim 1, further comprising:
denying access to the application programming interface within a geographic region.
4. The method of claim 1, further comprising:
receiving a certificate associated with the virtual machine application; and
determining the secure domain based upon the certificate.
5. The method of claim 4, further comprising:
identifying the certificate as valid based upon a device identifier associated with the certificate.
6. The method of claim 4, further comprising:
identifying the certificate as valid based upon a geographic identifier associated with the certificate.
7. The method of claim 1, wherein the geographic location is determined using at least one of a global positioning system locator or telecommunication cell triangulation.
8. A telecommunications apparatus with secure operation based on geography, comprising:
a positioning mechanism that determines a geographic location for the telecommunications apparatus; and
a processor that identifies a secure domain for a virtual machine application and determines an availability of an application programming interface for the virtual machine application based on the geographic location.
9. The telecommunications apparatus of claim 8, wherein the processor allows access to the application programming interface within a geographic region.
10. The telecommunications apparatus of claim 8, wherein the processor denies access to the application programming interface within a geographic region.
11. The telecommunications apparatus of claim 8, further comprising
a transceiver that receives a certificate associated with the virtual machine application, the certificate being a basis for the secure domain.
12. The telecommunications apparatus of claim 11, wherein the processor identifies the certificate as valid based upon a device identifier associated with the certificate.
13. The telecommunications apparatus of claim 11, wherein the processor identifies the certificate as valid based upon a geographic identifier associated with the certificate.
14. The telecommunications apparatus of claim 8, wherein the positioning mechanism is a global positioning system locator.
15. An electronic device with secure operation features, comprising:
a sensor that detects an environmental factor; and
a processor that identifies a secure domain for a virtual machine application and determines an availability of an application programming interface for the virtual machine application based on the environmental factor.
16. The electronic device of claim 15, wherein the sensor is a positioning mechanism and the environmental factor is geographic location.
17. The electronic device of claim 16, wherein the processor allows access to the application programming interface within a geographic region.
18. The electronic device of claim 16, wherein the processor denies access to the application programming interface within a geographic region.
19. The electronic device of claim 16, further comprising
a transceiver that receives a certificate associated with the virtual machine application, the certificate being a basis for the secure domain.
20. The electronic device of claim 19, wherein the processor identifies the certificate as valid based upon a geographic identifier associated with the certificate.

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/967,592 US9223938B2 (en) 2007-12-31 2007-12-31 Location bound secure domains
US13/931,895 US20130291091A1 (en) 2007-12-31 2013-06-29 Location Bound Secure Domains

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/967,592 US9223938B2 (en) 2007-12-31 2007-12-31 Location bound secure domains

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/931,895 Continuation-In-Part US20130291091A1 (en) 2007-12-31 2013-06-29 Location Bound Secure Domains

Publications (2)

Publication Number Publication Date
US20090172794A1 true US20090172794A1 (en) 2009-07-02
US9223938B2 US9223938B2 (en) 2015-12-29

Family

ID=40800394

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/967,592 Active 2031-09-24 US9223938B2 (en) 2007-12-31 2007-12-31 Location bound secure domains

Country Status (1)

Country Link
US (1) US9223938B2 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180096130A1 (en) * 2016-09-30 2018-04-05 Salesforce.Com, Inc. Associating multiple e-learning development environments with a single user

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060105758A1 (en) 2004-11-15 2006-05-18 Maislos Ruben E Method and apparatus to disable function of mobile station

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040025022A1 (en) * 2000-09-21 2004-02-05 Yach David P Code signing system and method
US8489868B2 (en) * 2000-09-21 2013-07-16 Research In Motion Limited Software code signing system and method
US20030228866A1 (en) * 2002-05-24 2003-12-11 Farhad Pezeshki Mobile terminal system
US20060236258A1 (en) * 2003-08-11 2006-10-19 Core Mobility, Inc. Scheduling of rendering of location-based content
US20050086661A1 (en) * 2003-10-21 2005-04-21 Monnie David J. Object synchronization in shared object space
US20060082801A1 (en) * 2004-10-18 2006-04-20 Tsutomu Ohishi Image forming apparatus, information processing method, information processing program and recording medium
US20080100610A1 (en) * 2006-10-26 2008-05-01 Konica Minolta Business Technologies, Inc. Image processing device and computer-readable medium storing program
US20080140160A1 (en) * 2006-12-06 2008-06-12 Medtronic, Inc. Intelligent discovery of medical devices by a programming system
US20080222707A1 (en) * 2007-03-07 2008-09-11 Qualcomm Incorporated Systems and methods for controlling service access on a wireless communication device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100049851A1 (en) * 2008-08-19 2010-02-25 International Business Machines Corporation Allocating Resources in a Distributed Computing Environment
US8266254B2 (en) * 2008-08-19 2012-09-11 International Business Machines Corporation Allocating resources in a distributed computing environment
EP2785002A1 (en) * 2013-03-28 2014-10-01 Nokia Solutions and Networks Oy Geoscoping for enhancing security in public warning systems
US10318727B2 (en) * 2016-03-10 2019-06-11 Fujitsu Limited Management device, management method, and computer-readable recording medium

Also Published As

Publication number Publication date
US9223938B2 (en) 2015-12-29

Similar Documents

Publication Publication Date Title
JP4833620B2 (en) Licensing based on location information
US8763080B2 (en) Method and devices for managing permission requests to allow access to a computing resource
US8943550B2 (en) File system access for one or more sandboxed applications
US9112866B2 (en) Methods and devices for controlling access to computing resources
KR101089353B1 (en) Apparatus and methods for client-driven server-side installation
US20160119323A1 (en) Single sign on for native and wrapped web resources on mobile devices
US20100313196A1 (en) Managing securely installed applications
CA2778737C (en) Method and devices for managing permission requests to allow access to computing resource
KR100883699B1 (en) Execution of unverified programs in a wireless device operating environment
US20060137007A1 (en) Revoking a permission for a program
JP2007505559A (en) Method and apparatus for content protection in a wireless network
KR20060048474A (en) System and method for providing security to an application
KR20040015703A (en) Using permissions to allocate device resources to an application
JP2007510235A (en) Method and apparatus for supplying application credentials
US8707337B2 (en) Dispatch API that permits midlets to initiate dispatch calls
US9223938B2 (en) Location bound secure domains
CN104866743A (en) Method and device for calling interface in browser
US9455972B1 (en) Provisioning a mobile device with a security application on the fly
US11670303B2 (en) Staged user enrollment using audio devices
CA2778736C (en) Methods and devices for controlling access to computing resources
US20110145840A1 (en) Method and device for permitting secure use of program modules
US20130291091A1 (en) Location Bound Secure Domains
Ji et al. Mobile device management system with portable devices
CN112333134A (en) Cryptographically secure dynamic third party resources
US20080127315A1 (en) System and method for protecting copyrights of digital content

Legal Events

Date Code Title Description
AS Assignment

Owner name: MOTOROLA, INC., ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MCGUIRE, JAMES B.;REEL/FRAME:020624/0544

Effective date: 20080131

AS Assignment

Owner name: MOTOROLA MOBILITY, INC, ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOTOROLA, INC;REEL/FRAME:025673/0558

Effective date: 20100731

AS Assignment

Owner name: MOTOROLA MOBILITY LLC, ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOTOROLA MOBILITY, INC.;REEL/FRAME:028829/0856

Effective date: 20120622

AS Assignment

Owner name: GOOGLE TECHNOLOGY HOLDINGS LLC, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOTOROLA MOBILITY LLC;REEL/FRAME:034625/0001

Effective date: 20141028

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8